Month of MySpace bugs kicks off

Two hackers on Sunday began their planned "month of MySpace bugs" project, which is expected to reveal 30 vulnerabilities this month that affect the popular social networking site.

The pair, known only as Mondo Armando and Mustachio, said on their LiveJournal site on Saturday that they plan to notify MySpace of each bug prior to publication, but they were not hopeful security officials would respond.

"We are not working with MySpace, although we would be happy to," the hackers said, adding they are using the month to highlight the dangers of sites similar to MySpace that have "users of various levels of sophistication."

Over the next few weeks, the hackers said they plan to reveal a variety of bugs, including flaws that allow cross-site scripting (XSS) attacks and ones that permit unauthorised access to user profiles.

The pair kicked off the initiative with a well-known vulnerability. Users can edit their profiles using cascading style sheet (CSS) language and customise their profile URLs. That means hackers could conceivably create profiles that resemble the MySpace login page and use a legitimate-sounding URL to trick users into giving up their credentials.

"It’s a pretty light one and we don’t really expect the MySpace Security Squad to actually do a lot of code changes on Sunday," the hackers said.

Today the pair disclosed a vulnerability in the "cms.goto" application of "profile.myspace.com" that is caused by a lack of input validation and can lead to an XSS attack.

A MySpace spokesperson could not immediately be reached for comment.

Jeremiah Grossman, CTO of WhiteHat Security, told SCMagazine.com today that the project underscores the vulnerability of most sites on the web. However, hackers are more likely to target MySpace flaws because the site has more than 130 million members.

"It's just a popular target," he said. "Nothing's necessarily more susceptible about it."

The undertaking is interesting because it focuses on a particular site, not a product or a system component as similar month-long projects have done, Grossman said.

"The popular websites out there are going to have to deal with disclosure just like the Microsoft and Oracles of the world," he said.

MySpace is no stranger to malicious users. In December, the site – the fifth most trafficked web destination, according to Alexa – hosted a patch for Apple after MySpace was hit by a cross-site scripting worm, which took advantage of JavaScript functionality in the QuickTime player used by many users to run videos on their profile pages. The goal of the attack was to steal login credentials and lure users to a pornographic site hosting spyware.

And over the summer, the site suffered from flawed banner ads that hosted the Windows metafile vulnerability, permitting drive-by downloads.
